GDPR

ExpenseIn and the General Data Protection Regulation.

Introduction

The GDPR is the largest change in data protection law since the introduction of the EU Data Protection Directive in 1995. The aim of the GDPR is simple: to improve the security and protection of personal data. The new regulation replaces the previous Data Protection Directive, and ExpenseIn welcomes this change. Protecting our customers' data is of the utmost importance to us, and ensuring our compliance with the GDPR has been our number one priority.

The GDPR brings a number of significant changes compared with the previous Data Protection Directive including, but not limited to, increased territorial scope, stricter penalties for failing to meet the requirements and stronger conditions for consent. In addition, the rights of data subjects have been substantially strengthened: they now have the right to access their data, to request that their data be removed, and to be notified within 72 hours of a known data breach.

ExpenseIn and the GDPR

Dedicated GDPR committee

ExpenseIn has set up a GDPR committee, chaired by our Data Protection Officer, to monitor and assess our ongoing compliance with the GDPR.

Privacy assessment

We have updated our Privacy Policy to provide full transparency of the data we store, how we store it and who we share it with.

Policy and contracts review

We have undertaken a review of all our internal policies and processes as well as supplier and customer contracts to ensure GDPR compliance is maintained throughout.

Enhanced security features

We have added a number of enhanced security features including two-step authentication, increased system notifications and auditing, and improved password controls.

Employee training

We have invested in a dedicated training program to ensure that all of our employees have an in-depth understanding of the GDPR and information security best practices.

Data audit and retention controls

From our employees to our customers, we have carried out a full data audit in addition to implementing a formal data retention process.

Compliance throughout

ExpenseIn only engages with suppliers who share our commitment to security and data protection. By working with leading providers such as Amazon AWS and SagePay we ensure that our entire service meets the levels demanded by both the GDPR and our customers.

Frequently asked questions

When did the GDPR come into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016 and officially came into force on 25th May 2018. In the lead-up to that deadline, companies both inside and outside the EU prepared for the new data regulation.

What are the penalties for failing to comply?

Companies can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core privacy-by-design concepts.

Who does the GDPR apply to?

It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What constitutes personal data?

Any information related to a person, or 'data subject', that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.

Does the GDPR require personal data to stay in the EU?

No. The GDPR does not require personal data to stay in the EU; however, all companies processing EU personal data, whether inside or outside the EU, must comply with the GDPR.